[isf-wifidog] How to Auth non-browser based devices

Max Horváth max.horvath at maxspot.de
Wed Feb 1 06:41:22 EST 2006


Hi,

Benoit Grégoire wrote:

> On January 31, 2006 11:37 pm, Jason Potter wrote:
>> Hi All,
>>
>> Just an extension to the discussion below, what are the approaches to
>> giving free wifi to devices in a venue that don't have a browser.
>
> 1-Tie MAC address(es) to a single user account who vouches for it
> (http://dev.wifidog.org/ticket/19).  Only slightly more insecure than normal
> captive portal operation.

As I wrote in the ticket's comments, this has one disadvantage:
The most comfortable way would be if a registered user could enter, say, 2 or 3
MAC ids in his profile. The only problem we have is how to detect if a user
cheats. He could just enter the MAC id of his notebook and voila - he'd never
see the login screen again ...

> 2-Whitelist specific servers ("perfectly" secure, allows the group to ask
> money from their operators for the privilege since they run a business on
> your network).  Good for the DS and VOIP operators, doesn't work for allowing
> you to connect to your own asterisk server for example.

This is the way we should go ... and about the servers: different groups could
talk about it with the companies and list those servers on our wiki - so every
group would know about them and could whitelist those servers, too ...

> 3-Whitelist specific ports (such as SIP).  Once you do that, anyone can tunnel
> any kind of traffic through them.

This should only be done in addition to point 2.

Otherwise the users could cheat. In case I know that port 5060 is open, for
example, I could tunnel all traffic through this port and I as a user would
never see the portal again ...

> 4-Don't run any authentication at all.  Works fine for those who  
> only run a
> portal to display a splash page and terms of service.

Only for the folks with a splash screen only :( ...

> I hadn't thought of Pete's solution:
> 5-Whitelist a range of MAC addresses by manufacturer.  Only works when the
> manufacturer and the service to be whitelisted are the same, so it would work
> for the DS, but not for a wifi phone).  Also, once the users know whose
> device is whitelisted, they no longer have to guess or find a MAC address to
> spoof.

Kinda same problem as with point one ... Once I as a user know that I can use
my DS without authentication I'd just have to change the MAC of my notebook and
I'd be on the internet ...

> If anyone has other ideas, please speak up.  So far there is no perfect
> solution.

So the only secure way I see is a combination of point 2 and 3.

Cheers, Max!

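The difference between a port-only whitelist (point 3) and a server-plus-port whitelist (points 2 and 3 combined), as an added example that is not part of the original message and not WiFiDog code. The rule format, the helper names and the addresses (RFC 5737 documentation ranges) are assumptions made for illustration.

```python
import ipaddress
from typing import NamedTuple, Optional

class Rule(NamedTuple):          # hypothetical pre-auth whitelist rule
    proto: str                   # "tcp" or "udp"
    port: int
    dest: Optional[str]          # CIDR of the whitelisted server, None = any host

class Flow(NamedTuple):          # traffic from a client that has not logged in
    proto: str
    port: int
    dst_ip: str

def allowed_pre_auth(rules, flow):
    """True if the unauthenticated flow matches any whitelist rule."""
    dst = ipaddress.ip_address(flow.dst_ip)
    for r in rules:
        if r.proto != flow.proto or r.port != flow.port:
            continue
        if r.dest is None or dst in ipaddress.ip_network(r.dest):
            return True
    return False

def port_only_rules(rules):
    """Audit helper: rules without a destination open that port to every host."""
    return [r for r in rules if r.dest is None]

# Constructed sample data.
SIP_SERVER = "192.0.2.10/32"     # hypothetical whitelisted VoIP operator
PORT_ONLY = [Rule("udp", 5060, None)]               # point 3 alone
SERVER_AND_PORT = [Rule("udp", 5060, SIP_SERVER)]   # points 2 and 3 combined

def compare():
    """Return {flow name: (allowed by port-only, allowed by server+port)}."""
    flows = {
        "sip_server": Flow("udp", 5060, "192.0.2.10"),
        "other_host": Flow("udp", 5060, "198.51.100.7"),
        "server_other_port": Flow("tcp", 80, "192.0.2.10"),
    }
    return {name: (allowed_pre_auth(PORT_ONLY, f),
                   allowed_pre_auth(SERVER_AND_PORT, f))
            for name, f in flows.items()}

if __name__ == "__main__":
    for name, (p3, p23) in compare().items():
        print(f"{name:18} port-only={p3!s:5} server+port={p23}")
    print("rules to review:", port_only_rules(PORT_ONLY + SERVER_AND_PORT))
```

Running `port_only_rules` over a gateway's real pre-auth rules lists the entries that need a destination added before they match the combined approach.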

